mattnite
/
forgejo-tickets
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Validate proxy download URL host to prevent SSRF 

Fixes #26
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
Matthew Knight 2026-02-17 16:07:31 -08:00
parent e3ef03ddcd
commit c56b803010
No known key found for this signature in database
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
internal/forgejo/client.go
View File

@ -868,7 +868,20 @@ func (c *Client) GetAttachmentURL(apiURL string) (string, error) {
} }
// ProxyDownload fetches a file from the given Forgejo URL with authentication and streams it back. // ProxyDownload fetches a file from the given Forgejo URL with authentication and streams it back.
// The URL host must match the configured Forgejo base URL to prevent SSRF.
func (c *Client) ProxyDownload(downloadURL string) (*http.Response, error) { func (c *Client) ProxyDownload(downloadURL string) (*http.Response, error) {
parsed, err := url.Parse(downloadURL)
if err != nil {
return nil, fmt.Errorf("invalid download URL: %w", err)
}
base, err := url.Parse(c.baseURL)
if err != nil {
return nil, fmt.Errorf("invalid base URL: %w", err)
}
if parsed.Host != base.Host {
return nil, fmt.Errorf("download URL host %q does not match Forgejo host %q", parsed.Host, base.Host)
}
httpReq, err := http.NewRequest("GET", downloadURL, nil) httpReq, err := http.NewRequest("GET", downloadURL, nil)
if err != nil { if err != nil {
return nil, err return nil, err